Purpose-driven organisations need to prepare for cyber attacks
Recent cyber incidents in Aotearoa - including the ManageMyHealth breach - are another reminder that cyber attacks are not just IT events. They are trust events. And how we communicate about them, and to our stakeholders, matters hugely.
As cyber threats increase across health, government and the community sector, it’s no longer a question of if an organisation will face an incident, but when. For charities and NGOs, the stakes are particularly high. We don’t just hold operational data - we hold deeply personal information about donors, clients, patients and people who already face vulnerability.
Having supported responses to cyber incidents - including the Waikato DHB ransomware attack, the largest cyberattack in New Zealand’s history - and through my award-winning Master’s research on the topic and preparing organisations for the worst, I’ve seen the same communication challenges arise again and again.
Here are some of the key lessons purpose-driven organisations need to consider.
1. A cyber incident is a trust crisis, not just a technical one
When systems go down or data is compromised, the first questions people ask aren’t about servers or software. They are:
Am I safe?
Has my information been exposed?
Can I trust you to tell me the truth?
Yet many responses focus first on investigations, recovery timelines and technical fixes. While those are essential, they don’t address the emotional reality people are experiencing.
Lesson: Lead with people, not process. Acknowledge fear, frustration and uncertainty early, and make it clear that affected people are your first priority - not just system restoration.
2. Early acknowledgement matters more than perfect information
One of the most common communication mistakes in cyber incidents is waiting until everything is confirmed before saying anything meaningful. But silence, or vague holding statements, quickly creates an information vacuum. When that happens, people fill the gaps themselves, often assuming the worst.
In previous cyber responses, delays in communication damaged confidence even when technical recovery was progressing well behind the scenes.
Lesson: Say what you know, what you don’t yet know, and when people can expect another update. Early acknowledgement builds credibility, even when details are still emerging.
3. But be careful not to give information to the attacker
Cyber incidents differ from many other crises because the perpetrator is often actively monitoring what’s being said publicly.
During the Waikato DHB response, communications teams had to constantly balance transparency with the risk of giving the attacker information that could:
help them reinfiltrate systems
encourage them to escalate the attack
or allow them to deliberately contradict public statements to cause further harm
This meant some details had to be withheld - not to avoid accountability, but to reduce further risk.
Lesson: Transparency remains critical, but it must be balanced with cybersecurity considerations. This requires strong coordination between IT, legal, leadership and communications, and clear decision-making processes before an incident happens.
4. Don’t position your organisation as the victim
Even when an organisation has clearly been targeted, stakeholders don’t want messaging that centres organisational hardship.
People who are worried about their data, identity or safety don’t respond well to narratives that frame the organisation as the primary victim.
What they want to hear is:
acknowledgement of impact
acceptance that protections failed
and commitment to fixing what went wrong
Lesson: Communicate with empathy and ownership. Avoid defensive language and avoid positioning your organisation as the main casualty of the incident.
5. Too much technical language creates distance
Cyber responses often rely on phrases like:
“bad actor”
“unauthorised access”
“systems impacted”
“no evidence of misuse at this stage”
While technically accurate, this language doesn’t help people understand what the situation means for them personally. When people don’t understand what you’re saying, they don’t feel reassured - they feel excluded.
Lesson: Translate cyber risk into human terms. Explain what this could mean for individuals and what practical steps they should consider, even if those steps are simply staying alert or changing passwords.
6. Staff and partners are critical trust-builders
One of the strongest elements of past cyber responses in the health sector was the way staff were publicly acknowledged for keeping services running under extreme pressure.
This didn’t just support morale - it helped reinforce that real people were working hard to protect patients and restore care.
For NGOs and charities, trust doesn’t just sit with the brand - it sits with the people delivering services every day. That means frontline staff, volunteers and community partners need to be informed, supported and equipped to answer questions, because they are often the first - and most trusted - source of information for the people we serve.
Lesson: Acknowledge and elevate the people doing the work through both internal and external communications channels. Equip and support your people with the right information.
Why this matters so much for charities and NGOs
Purpose-driven organisations rely on trust more than most. We hold donor financial data, sensitive client and beneficiary information and highly personal stories and circumstances, among other things.
And a poorly handled cyber response can undermine years of relationship-building in a matter of days.
Preparation isn’t about predicting the exact attack. It’s about being ready to respond in a way that protects both people and public confidence.
How Baines can help
Cyber incidents are not the time to be working out:
who approves messaging
how IT, legal and comms coordinate
what leaders should say publicly
how often stakeholders should be updated
At Baines, I support purpose-driven organisations to:
develop cyber and crisis communications playbooks
clarify roles and escalation pathways
prepare leaders and spokespeople for cyber scenarios
and provide hands-on communications support when incidents occur
Because when something goes wrong, you don’t want to be building your response from scratch.
If your organisation holds sensitive data - and most of us do - now is the time to be thinking seriously about how you would communicate if the worst happened.